CVE | April 24, 2026

CVE-2026-1555 – Unauthenticated File Upload in WebStack Theme Gives Attackers Full Server Access

If you run a WordPress site using the WebStack theme, there is no patch available for a critical vulnerability that lets anyone upload arbitrary files to your server. Versions up to and including 1.2024 are affected, and attackers do not need a user account to exploit it.

What Is CVE-2026-1555?

This is an unauthenticated arbitrary file upload vulnerability in the WebStack theme (CVSS 9.8, Critical). The issue is in the io_img_upload() function in inc/ajax.php, which does not validate the file type before processing uploads. Since the function is hooked into WordPress AJAX actions without authentication checks, anyone can send a POST request and upload any file to your server.

A malicious file upload can lead to remote code execution. The attacker uploads a PHP shell and gains full control of your site. From there they can steal data, inject malware, deface pages, or use your server for attacks on other sites.

Who Is Affected?

Sites running WebStack theme version 1.2024 or earlier are affected. WebStack is a directory/landing page theme with server navigation features, created by developer Owen. It is available on GitHub and various theme repositories.

The vulnerability was disclosed on April 15, 2026 by researcher Chiao-Lin Yu (Steven Meow) through the Wordfence bug bounty program. As of April 24, there is still no patch available.

How to Protect Your Site

Since no patch exists, here is what you can do right now:

  • Switch to a different theme; if you rely on WebStack for a directory site, find an alternative that is actively maintained
  • Add a file upload firewall rule or block PHP file execution in upload directories via .htaccess or server config if you cannot switch immediately
  • Monitor for suspicious files and check your /wp-content/uploads/ directory for .php files or other unexpected uploads
  • Run a vulnerability scan to check your site for other vulnerable plugins and themes while you are at it

To block PHP execution in upload directories, add this to a .htaccess file inside wp-content/uploads/ (not the .htaccess in the site root, where it would also block WordPress's own PHP files):

<Files *.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
Deny from all
</Files>

If you use Nginx, add this to your server block, placed before the location block that passes .php requests to PHP-FPM (the first matching regex location wins):

location ~* /wp-content/uploads/.*\.php$ {
    deny all;
}

These rules prevent PHP files in upload directories from executing, which blocks the most common exploitation path even if the upload itself succeeds.
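For the "monitor for suspicious files" step above, here is an added example (not part of the original post) that lists files under an uploads directory which should never be there: anything with a PHP-style extension, and anything with a harmless-looking extension whose leading bytes still contain a PHP open tag. The uploads path and the extension list are assumptions; adjust them for your server.

```shell
#!/bin/sh
# Added example: find files in a WordPress uploads tree that a web server
# might execute, or that hide PHP code behind an image extension.
# Usage: find_unexpected_php /var/www/html/wp-content/uploads   (path is an assumption)

find_unexpected_php() {
    dir="$1"
    # 1. Files whose extension a PHP handler is commonly configured to run.
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
        -o -iname '*.php[0-9]' \) -print
    # 2. Everything else: flag files whose first 4 KiB contain a PHP open tag,
    #    e.g. a "logo.jpg" that is really a script (only the head is read,
    #    so large media files are cheap to check).
    find "$dir" -type f ! -iname '*.php' ! -iname '*.phtml' ! -iname '*.phar' \
        ! -iname '*.php[0-9]' -print | while IFS= read -r f; do
        if head -c 4096 "$f" | grep -q '<?php'; then
            printf '%s\n' "$f"
        fi
    done
}

# Returns 0 when the uploads tree is clean and 1 when anything was found,
# so it can drive a cron job or monitoring alert.
check_uploads() {
    hits=$(find_unexpected_php "$1" | wc -l | tr -d ' ')
    [ "$hits" -eq 0 ]
}
```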

Do It All With One Plugin

If you want to keep tabs on vulnerabilities like CVE-2026-1555 without manual monitoring, Trusti Security includes a Known Vulnerabilities Scanner that checks your themes and plugins against the WPVulnerability API. It can alert you when an installed theme or plugin has a known flaw before attackers can exploit it.

Trusti also has a Directory Protection module that does exactly what the manual .htaccess and Nginx rules above do with a single toggle. Enable it for wp-content/uploads, wp-includes, or even the entire wp-content directory. It writes the .htaccess rules automatically, supports exceptions for legitimate PHP files, and detects your server type to show the right instructions. Install Trusti Security for free from the WordPress plugin repository.

The Bottom Line

CVE-2026-1555 is a critical, unpatched vulnerability that gives unauthenticated attackers arbitrary file upload access to any site running WebStack 1.2024 or earlier. Switch themes or add upload directory protection immediately. Keep an eye on the WebStack GitHub repo for a patch release.

WebStack on GitHub | CVE-2026-1555 on CVE.org
